Search

Subscribe

Swedish Army Loses Classified Information on Memory Stick

The daily newspaper, Aftonbladet, turned the stick over to the Armed Forces on Thursday. The paper's editorial office obtained the memory stick from an individual who discovered it in a public computer center in Stockholm.

An employee of the Armed Forces has reported that the misplaced USB memory stick belongs to him. The employee contacted his superior on Friday and divulged that he had forgotten the memory stick in a public computer. A preliminary technical investigation confirms that the stick belongs to the employee.

The stick contained both unclassified and classified information such as information regarding IED and mine threats in Afghanistan.

The point is that it's now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I'd never know it.

Comments

The opposite is also occurring in the US. Government agencies are enforcing encrypted volumes on all computers without regard to the type of data and the use of the computer. This is adding huge amounts of overhead to agencies like NOAA that are already strapped for people time. They don't need to spend money and time on encrypting data that is already public. And the software they are using to encrypt all their windows machines is causing lots of problems and delays. Yes, some of their computers and laptops need to be heavily locked down, but blindly applying that to all computers is not smart. Being outside of these gov. agencies, I can actually get work done that civil servants can't do because of all the security restrictions.

As a Swede, I should point out that the Swedish Army is pretty dinky. We haven't been in a war since 1814 (although we do participate in a number of peacekeeping missions, such as in Afghanistan). It wouldn't be totally unfair to say that we have gotten a little complacent about our national security. Not that that is a defence or anything, of course there should be mandatory encryption on all drives with classified material.

What's really amusing is the fact that it was the tabloid Aftonbladet who got hold of the USB mem stick. A week or so ago a hacker group called VFH (vuxna förbannade hackare, in english: adult pissed-off hackers) managed to leak the login details for several of Aftonbladet's journalists' mail accounts, as well as facebook details (for those who apparently used the same pwd).

While the USB-stick contained some classified material, it was of very low value (otherwise this contractor/researcher wouldn't have gotten access to it at all). Needless to say, he broke many rules when he put this information on a USB-stick and brought it to a public library (and plugged it into a public computer, now that’s something). I read in other more trustworthy media* that the Swedish army does in fact have strict policies in place, especially for moderately to highly classified information.

*) You should all know that Aftonbladet is a sensationalist tabloid that shouldn’t be trusted too highly. Ironically, Aftonbladet’s intranet was hacked just a few days ago, and stayed hacked for several days until the hackers published the accounts and passwords to the employees web accessible e-mail (among other awkward information). There were quite a few comic and nasty e-mails being sent from e.g. the executive editor’s account. The CIO used a six letter password, “anakin��?, which I think says quite a lot about Aftonbladet’s own IT security awareness.

This isn't Lt. Col. Super Secret losing next summer's planned troop movements. This is Cpl. Nobody who carries a thumbdrive with powerpoints of "How not to step on a mine" and a the physical fitness test scores of the 6 people on his section.

I disagree that routine drive encryption is a bad thing. There's practically zero overhead in performance or complication (if this is not true, you're using the wrong drive encryption software), and it means that you don't have to think too hard about what you're doing, which is ideal for mass-deployment among non-security-conscious people.

Sure, there are other risks which need to be mitigated in equally non-thinking ways, but routine drive encryption is part of the solution, not part of the problem.

You touch upon a very important issue, the amounts of (personal) data and their dynamics and increasing dramatically and mistakes are bound to be made. When it comes to national security this is grave, but also in terms of our personal reccords held in various insitutions. We see similair problems in the UK and on the USB front in the Netherlands as well.

Bruce,
I enjoy reading your broad perspective on security.
I work in this space and have started a focussed blog on the subject of protecting sensitive data.
I think you and I may have some similar thoughts?

The swedish army uses special encrypting usb-sticks internally when they need to move data physically. The Police are now investigating why this guy used an unsecured stick in a public computer with low grade classified army documents on.